<aside> 🧠 A good auditor never makes mistrakes v3.final

</aside>

1 Report Summary

1.1 Introduction

Botto is a decentralized, autonomous artist governed by $BOTTO holders.

ElevenYellow approached GoldmanDAO to perform a review of their new Botto NFT smart contracts. From March 30th to April 13th, 2022, the GoldmanDAO team conducted the review of the source code provided.

Our goal with this review is to identify any vulnerabilities in the current codebase and to help the team verify that their implementation works as intended. Details on the scope and findings are collected in this document.

1.2 Scope

The code under review was frozen on March 8th, 2022 at commit https://github.com/GoldmanDAO/botto-nft-contracts/commit/0881729057a39b055a4c3c45efdc1ae96c8fdc1a in https://github.com/GoldmanDAO/botto-nft-contracts. This repository had not been reviewed before. At that commit the repository contains a total of 7 contracts:

├── ethereum
│   ├── BottoActiveReward.sol
│   ├── BottoRetroactiveReward.sol
│   ├── IBottoGovernance.sol
│   ├── Migrations.sol
│   └── MockBottoGovernance.sol
└── polygon
    ├── BottoERC1155.sol
    └── Migrations.sol

The main contracts, and the ones that were audited, are:

All three contracts inherit from OpenZeppelin's upgradeable contracts. The last official audit of that library was performed on v2.0 in October 2018 and can be found at https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/master/audit/2018-10.pdf; later releases of the library, including the versions current at the time of this review, are not covered by it.
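Because the audited contracts build on OpenZeppelin's upgradeable library, the first things a reviewer checks are the initializer guard, the lock on the bare implementation contract and the upgrade authorization hook. The following contract is an added illustration written for this report, not Botto code and not OpenZeppelin's own example; it assumes OpenZeppelin Contracts Upgradeable 4.x (where `__Ownable_init()` takes no arguments and `_disableInitializers()` is available), and the contract name, state variables and `initialize` parameters are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Added illustration (not Botto's code): the shape an auditor expects from a
// contract built on OpenZeppelin's upgradeable library (assumes OZ 4.x).
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

contract ExampleRewardUpgradeable is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    // Hypothetical state. Upgradeable contracts must not rely on storage set in
    // a constructor, because the proxy never runs the implementation's constructor.
    address public rewardToken;
    uint256 public rewardPerClaim;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the implementation contract itself so nobody can call
        // initialize() on it directly and take ownership of the logic contract.
        _disableInitializers();
    }

    // Replaces the constructor. The `initializer` modifier guarantees this runs
    // at most once per proxy; without it anyone could re-initialize the proxy
    // and seize ownership.
    function initialize(address token, uint256 perClaim) external initializer {
        __Ownable_init();
        __UUPSUpgradeable_init();
        rewardToken = token;
        rewardPerClaim = perClaim;
    }

    // UUPS hook: restrict who may replace the implementation. Leaving this
    // open is the classic upgradeable-contract takeover.
    function _authorizeUpgrade(address newImplementation) internal override onlyOwner {}

    // Reserved storage slots so future upgrades can add variables without
    // shifting the storage layout of any contract that inherits from this one.
    uint256[48] private __gap;
}
```

When reviewing a contract of this shape, confirm that every `__X_init()` for every inherited upgradeable parent is called from `initialize`, that no parent initializer is called twice, and that the storage layout of each new implementation is append-only relative to the one it replaces.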

The remaining 4 contracts in the repository are support contracts for integrations and project setup, including:

1.3 Findings

Our initial review resulted in 5 major findings, broken down by severity as follows: